Today we are issuing patches for two newly disclosed security vulnerabilities affecting all versions of Tectonic and Kubernetes versions 1.3 through 1.10. The vulnerabilities have been assigned CVE-2017-1002101 and CVE-2017-1002102, respectively.
Both bugs affect all versions of Tectonic and versions of Kubernetes from 1.3 to 1.10 that use Pod Security Policies (PSPs). The bugs can be used to bypass a PSP. If you aren’t using PSPs, you don’t have anything to worry about.
The first vulnerability involves the subPath parameter, which is commonly used to reference a volume multiple times within a Pod. A successful exploit can allow an attacker to access unauthorized files on a Pod with any kind of volume mount, including files on the host.
The second bug relates to mounting ConfigMaps and Secrets as volumes within a Pod. Maliciously crafted Pods can trigger deletion of any file or directory on the host.
To address these vulnerabilities, today we’re releasing two new versions of Tectonic:
- Tectonic 1.7.14-tectonic.1 to our 1.7 production and preproduction channels
- Tectonic 1.8.9-tectonic.1 to our 1.8 production and preproduction channels
Apply the update to your clusters by clicking “Check for Update” in your cluster settings.
In addition, this bug impacts the kubelet, which is managed at the infrastructure level. New clusters will install the patched kubelet version. If you have enabled PSPs on an existing cluster (which are not on by default), you will need to update your autoscaling group user-data or provisioning tool to install the 1.7.14 or 1.8.9 version of the kubelet, or update it manually.
All current Tectonic customers will receive an email alert about the bugs and the need to update. More information on the Tectonic update process and how to use the two channels can be found in our documentation.